Flooding-based distributed denial-of-service (DDoS) attacks present a very serious threat to the stability of the Internet. In a typical DDoS attack, a large number of compromised hosts are amassed to send useless packets to jam a victim, its Internet connection, or both. In the last two years, it has been discovered that DDoS attack methods and tools are becoming more sophisticated, more effective, and more difficult to trace to the real attackers. On the defense side, current technologies are still unable to withstand large-scale attacks. The main purpose of this paper is therefore twofold. The first is to suggest an efficient measure based on congestion control. The second is to find an adequate queue model that can be used in the router for detecting DDoS attacks.